Description of problem: One of our customers reported a problem with tripleo_swift_rsync_healthcheck running on RHOSP director: this healthcheck calls the lsof command, which triggers SELinux denials (would provide them privately to avoid customer's data exposure). It looks like the denials come from the fact that the lsof command tries to access a block device. At the same time, the affected healthcheck is used to confirm that the appropriate process is listening on the appropriate port, so a call related to a block device looks like a side effect to me.

[1] https://opendev.org/openstack/tripleo-common/src/branch/stable/train/healthcheck/swift-rsync

~~~
$ cat -n healthcheck/swift-rsync
     1	#!/bin/bash
     2
     3	. ${HEALTHCHECK_SCRIPTS:-/usr/share/openstack-tripleo-common/healthcheck}/common.sh
     4
     5	process='rsync'
     6	args="${@:-873}"
     7
     8	if healthcheck_listen $process $args; then
     9	    exit 0
    10	else
    11	    ports=${args// /,}
    12	    echo "There is no $process process, listening on port(s) $ports, running in the container."
    13	    exit 1
    14	fi
~~~

[2] https://opendev.org/openstack/tripleo-common/src/branch/stable/train/healthcheck/common.sh#L85-L93

~~~
$ cat -n healthcheck/common.sh
...
    85	healthcheck_listen () {
    86	    process=$1
    87
    88	    shift 1
    89	    args=$@
    90	    ports=${args// /,}
    91	    pids=$(pgrep -d ',' -f $process)
    92	    lsof -n -w -P -a -p${pids} -iTCP:${ports} -s TCP:LISTEN >&3 2>&1
    93	}
~~~

~~~
# lsof -n -w -P -a -p7 -iTCP:873 -s TCP:LISTEN
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rsync     7 root    4u  IPv4 591056      0t0  TCP 192.168.24.1:873 (LISTEN)
~~~

Kindly ask you to take a second look. Sosreport from affected node is attached to support case.

Version-Release number of selected component (if applicable): Red Hat OpenStack Platform release 16.2.0 GA (Train)

How reproducible: Healthcheck triggers SELinux warning.
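As an added illustration (not tripleo-common's code and not the fix that was shipped, which was an openstack-selinux policy change), the same "is this process listening on this port" check can be answered from /proc alone: listening sockets in /proc/net/tcp and tcp6 carry state 0A and an inode, and /proc/<pid>/fd links name the socket inodes a process holds, so no block device is ever opened. It assumes a Linux /proc layout, pgrep as in the original, and the constructed /proc/net/tcp sample in the comments.

```shell
#!/bin/bash
# Added example: a lsof-free listener check built on /proc.
# Constructed sample of a /proc/net/tcp row for the rsync socket seen on
# the page (192.168.24.1 = 0118A8C0 little-endian, port 873 = 0x0369,
# st 0A = LISTEN, inode 591056):
#   0: 0118A8C0:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 591056 1 ...

# listen_inodes TABLE PORT
# TABLE is the text of /proc/net/tcp (tcp6 rows may be appended).
# Prints the inode of every socket in LISTEN state (st == 0A) bound to PORT.
listen_inodes() {
    table="$1"
    hexport=$(printf ':%04X' "$2")
    # Field 2 is local_address (hex addr:port), field 4 is state, field 10 is inode.
    printf '%s\n' "$table" | awk -v p="$hexport" \
        '$4 == "0A" && substr($2, length($2) - 4) == p { print $10 }'
}

# pid_socket_inodes PID
# Prints the inode of every socket fd the process holds open.
pid_socket_inodes() {
    for fd in /proc/"$1"/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        case "$link" in
            socket:\[*\]) link=${link#socket:[}; printf '%s\n' "${link%]}" ;;
        esac
    done
}

# healthcheck_listen_proc PROCESS PORT...
# Returns 0 when, for every PORT, some PID matching PROCESS owns a listening socket.
healthcheck_listen_proc() {
    process="$1"; shift
    pids=$(pgrep -f "$process") || return 1
    table=$(cat /proc/net/tcp /proc/net/tcp6 2>/dev/null)
    for port in "$@"; do
        found=0
        for pid in $pids; do
            for inode in $(listen_inodes "$table" "$port"); do
                # Match the listening socket's inode against the process's open sockets.
                if pid_socket_inodes "$pid" | grep -qx "$inode"; then found=1; fi
            done
        done
        [ "$found" = 1 ] || return 1
    done
    return 0
}
```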
It should be solved already, with this: https://github.com/redhat-openstack/openstack-selinux/commit/fb8fe99479bb9106bbcc672068da8c2dc7cb5a33 @jpichon care to provide a package version for 16.2 providing the associated patch? Thanks! Cheers, C.
Thank you for the report and including examples of the denials. In the future, it would be helpful to also include the installed version of the openstack-selinux package and attach the audit log directly on the bugzilla. The patch mentioned in comment 2 will be available in openstack-selinux-0.8.29-2.20211108135018.7211283.el8ost and addresses the denials from comment 1.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 16.2.2), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1001